Voice Authentication for ATM Security

Transcription

1 Voice Authentication for ATM Security Rahul R. Sharma Department of Computer Engineering Fr. CRIT, Vashi Navi Mumbai, India Abstract: Voice authentication system captures the human voice and then verifies the same to find out the identity of the person who he/she claims to be. This paper proposes voice authentication mechanism for enhancement of Automated Teller Machines (ATM) security. ATMs are commonly used by the general public for money transactions. However, they always have fear in the mind whether the system is secured enough to protect their accounts. In voice authentication mechanism, along with card insertion and password entry, the user has to speak his voice password to confirm the verification. Initially the voice password of the ATM user is converted into voiceprint which is then encrypted and stored in the database. When a user wants to login into his/her account, the voice phrase spoken by the user is captured using a microphone and converted into a voiceprint which is then matched with the encrypted voiceprint stored in the database. In case of a successful match, the user gets access to the account. Voice authentication takes into account both physiological and behavioral biometric components. It is highly cost-effective in comparison to other biometric authentication techniques. Index Terms: ATM, voice authentication, ATM security, voiceprint, encrypted. I. INTRODUCTION access to his account. Figure 1 shows different parts of an ATM machine. Money transactions through ATM are convenient for the people. However, they always have fear in their mind whether the system is secured enough to protect their accounts. A large number of accounts have been hacked in the recent years. Since the system only requires a card and the password of the user, the system is vulnerable. The attackers only need to get the ATM card or its copy and password of the customer which is not very difficult in many cases. So, there is a need for a more secure system which identifies the customer according to some characteristics present only in the customer. For this, biometrics can be used. Biometric-based authentication [6] measures individual s unique physical or behavioral characteristics. It exists today in various forms such as fingerprint verification, retinal scans, facial analysis, analysis of vein structures and voice authentication. Of all these methods, voice authentication is the simplest and most user-friendly method. The user only needs to speak his password which is then converted into voiceprint, encrypted and then stored into the database. In this way, voice authentication will provide more security to ATM systems. Automated Teller Machines (ATMs) are commonly used by the general public for money transaction. People can view their accounts, their current balance and withdraw money from their account using ATMs. Since large amount of money is involved, a very high level of security is required for ATMs. The current system involves the use of an ATM card and a password to access the accounts of the user. On most modern ATMs, the customer is identified by inserting a plastic ATM card with a magnetic stripe or a plastic smart card with a chip that contains a unique card number and some security information such as an expiration date or CVV [4]. The user inserts his ATM card into the ATM machine and then enters his password (PIN). If the password is correct, then he gets 14

2 II. Fig. 1. Parts of an ATM [10] ATM THEFTS AND FRAUDS The following figures (Fig. 2 and Fig. 3) show a card skimming false front and a fake keypad respectively. These are some of the common methods followed by attackers to hack into any ATM account. III. CONCEPT The concept of voice authentication is fairly simple. Voice authentication attempts to verify that the individual speaking is, in fact, who they claim to be. This is normally accomplished by comparing an individual s voice with a previously recorded voiceprint sample of their speech. To register a user s voice password, once a new customer has been issued an ATM card, he/she is asked to visit the bank in order to enroll his/her speech. This voice sample of the user is recorded and stored in the database in the form of voice print. Then, to get access to his account, the user supplies a sample voice password to the system. If the voice password sample matches with the voice password stored in the database, then the user gets access to his account. Otherwise, the user will not get access to his account. A. Operational Requirements Fig. 2. False card slot affixed over the original card slot to copy card information [11] Proper user interface like built-in speakers or a visual clip should be incorporated to guide the user through the login process. Small and highly sensitive microphone to record the voice phrase which should be able to catch a fairly high percentage of the person s voice. ATM cabin should be tightly packed so that when the user speaks his password phrase, it should not be audible outside the cabin. Only one person at a time should be allowed inside the ATM cabin to maintain higher level of privacy. B. Principle Voice authentication technique involves two biometric characteristics of the user: Fig. 3. Fake keypad [11] There have been numerous cases of ATM thefts and frauds that have led to huge economic losses. Hence, there is a pressing need for a better security system for ATM. This security requirement can be fulfilled by the use of voice authentication. Physiological Biometrics: Physiological Biometrics [6] is concerned with some unique physical traits of the user, e.g. the voice tone and pitch of the user. Behavioral Biometrics: Behavioral Biometrics [6] are concerned with the unique way in which a user performs certain actions, i.e., the time which the user takes to speak his password, his accent, the words on which the user gives more stress, etc. 15

3 The voice of a user is created by air passing over the larynx or other parts of the vocal tract. The larynx vibrates creating an acoustic wave which is modified by the motion of the tongue and lips. All sounds produced are, fundamentally influenced by the actual shape of the vocal tract. This shape is brought about both as a consequence of hereditary and developmental factors. Along with these physiological characteristics, speech contains a behavioral component, i.e., the accent of the voice, how quickly words are spoken, how sounds are pronounced and emphasized, and what other mannerisms are applied to speech. So, every person will have a different voice pattern which is essentially unique for every individual, and are difficult or impossible to duplicate [3]. Since this system takes both of these biometric characteristics of the user into consideration, voice authentication system forms a very powerful technique for accurately identifying a particular user. C. Process The process starts with the registration (or enrollment) phase. In the registration phase, a user has to speak out his password in a microphone multiple times (say 5 times). So, the system has a small range over which the voice of the user will vary. This will lead to a better idea of the voiceprint of the user. The encrypted voiceprint is stored in a database. The next phase is the access verification phase in which the user speaks a voice phrase which is compared with the voiceprint stored in the database. If a sufficient degree of similarity is observed, then the user gets access to his account. This process is depicted by the flowchart in Fig. 5. D. Description of technology A continuous time signal x(t) can be completely represented in its sampled form and recovered back from the sampled form if the sampling frequency (f s ) is greater than or equal to the maximum frequency (W) of the continuous time signal x(t). f s W This sets a restriction on the value of sampling frequency to be greater than or equal to twice the maximum frequency of the input voice signal so that the signal is sampled fully without losing any part of it. The third step is to convert these sampled signals into digital signal so that it can be stored and processed in a computer. For this, these sample voltages are measured and fed into a device called analog to digital converter. This device assigns a value to each measured voltage level. The series of voltage measurements will therefore be turned into a sequence of numbers for example, 161, 159, 85, 10, 118, 282, and 161. These numbers are then encrypted using a strong encryption algorithm. Advanced Encryption Standard (AES) can be used for encryption. AES [5] is a specification for the encryption of electronic data established by the National Institute of Standards and Technology (NIST) in It is based on a design principle known as a substitution-permutation network and its algorithm is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256 bits) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 bits key lengths. The encrypted data is then stored in the database. E. Comparison of voiceprints The voice produced by a human vocal tract is a very complex acoustic wave. The first stage, converting it from a sound to an electrical wave is simple, using a microphone. The second stage involves converting the signal from a continuous wave to a series of discrete voltage measurements. This is done by a process called sampling. Sampling involves measuring the voltage of the signal at regular intervals, many times per second. Sampling theorem [1] was introduced by Shannon in The theorem states that: 16

4 Fig. 4. Voiceprint [12] Fig. 1. Flowchart depicting the ATM Voice authentication process A sample voiceprint is shown in Fig. 4. The data used in a voiceprint is a sound spectrogram, not a wave form. A spectrogram is basically a graph that shows a sound's frequency on the vertical axis and time on the horizontal axis. Different speech sounds create different shapes within the graph [7]. The actual comparison process is complicated. The system never provides a positive or negative result. Any comparison will only give a probability of how much a particular voiceprint is similar to the voiceprint stored in the database. So, it is the responsibility of the system developer to select a threshold percentage probability value which, under ideal conditions, will decide if the user should be allowed access to the account. In the comparison process, two important definitions come into significance, the false-acceptance rate and false-rejection rate. The False-acceptance Rate (FAR) [8] is the percentage of invalid voiceprints incorrectly authenticated as valid users. The Falserejection Rate (FRR) [8] is the percentage of valid users whose voiceprints are incorrectly rejected. FAR and FRR are inversely proportional to each other. For a high degree of security, if a very low value of FAR is taken, then it will increase the FRR. But, if a lower value of FRR is taken, then the FAR increases. So, a proper value of FAR and FRR should be selected. For voice authentication, the voiceprints can be matched by the process of template matching. Template matching is a simple technique and is very accurate when used properly. Template Matching [2] compares the digitized version of a voiceprint against a digitized template, without performing any significant modifications to either print. It attempts to work out the probability that one voiceprint is the same as another voiceprint based on comparisons of the amplitude of the voice signal at various frequencies at various times over the entire period of the authentication phase. In this way, it gives a much accurate comparison result, but its limitation is that it becomes ineffective in presence of considerable noise in the surroundings. But since ATM machines are placed in a closed cabin, a relatively noiseless environment can be assumed in this case and this technique can be used effectively. IV DISCUSSION A microphone records the voice of a user and is able to recognize this voice later because of the specific characteristics of a human voice which is unique for every person. So, for both the first voice recording and later recognition, the equipments of the same quality [9] are required under basically the same circumstances, because things like sound-recording equipment quality, echo, background noise, etc. can influence the recognition system. 17

5 A. Current usage of voice authentication system reputed companies have implemented systems based on computer voice technologies, such as Visa, AIB Bank, Chase Manhattan Bank, Prudential Securities, Charles Schwab and Trintech [3]. Voice authentication systems have also been used by US and UK police forces to keep track of individuals on bail, parole or curfew orders [3]. Many companies that employed these systems for one application later extended its use to others after finding its effectiveness and the cost savings. At the individual level, products are available which allows private users to use voice authentication to control the extent to which family members can browse the Internet, ensuring children cannot access inappropriate sites [3], e.g., Deep Space Nine voiceprint product, or to remove the need for typing by using Dragon Naturally Speaking. Various other products like Voice Authentication 1.3 screen saver, Nuance Verifier 3.5, etc are also based on the concept of voice authentication discussed in this paper. B. Advantages of voice authentication system Other biometric techniques like retina scan, iris scan and palm vein scan are costlier than voice authentication mechanism. It is cheaper since no extra hardware other than a microphone is required to authenticate the user. It provides a 2-fold security to the ATM users. Physical presence of the user is required for login. The attacker can make the card holder unconscious and pass through the palm vein scan but it is not possible in the case of voice authentication. It is a contactless identification system which enables the applications in public places or in environments where hygiene standards are required, such as in medical applications. The vibration of vocal chords and the patterns created by the physical components resulting in human speech are as distinctive as fingerprints [9]. The familiarity of the telephone device makes it possible for users to comfortably interact with the voice biometric application without any additional training. The ATM user can change his voice password time and again according to the requirement but other biometrics cannot be changed. C. Disadvantages of voice authentication system The voice of a user can change over time. So, the voice password of the user needs to be updated after some period of time. A congested voice during cough, cold or other medical problems can cause difficulty for the voice authentication system in authenticating the valid user. Background noise can make it difficult for voice authentication system to authenticate a correct user. This problem can be solved by installing ATM machines in noiseless surroundings. Also, sealed ATM cabins help in reducing the external noise. The time for which the user speaks the password and the speaking style of the user should not change. Generally, as the duration of voice password increases, it becomes more difficult for an attacker to crack a user s password. But, longer passwords make it more difficult to authenticate a correct user. So, the size of voice passwords should neither be too short, nor too long. V. CONCLUSION The ATMs are vulnerable to threats and the valuable money of card holders is not completely safe. Voice authentication mechanism is a secured method to enhance the security of ATMs. It can be easily implemented in ATMs. Also, it is very cheap, easily implementable and user-friendly. ACKNOWLEDGMENT I would like to acknowledge the contribution of all the people who have helped in reviewing this paper. I would also like to thank my family members and friends who supported me in the course of writing this paper. 18

According to the SysAdmin, Audit, Network, Security Institute (SANS), authentication problems are among the top twenty critical Internet security vulnerabilities. These problems arise from the use of basic

IDRBT Working Paper No. 11 Authentication factors for Internet banking M V N K Prasad and S Ganesh Kumar ABSTRACT The all pervasive and continued growth being provided by technology coupled with the increased

Definition Biometrics is the use of physiological and/or behavioral characteristics to recognize or verify the identity of individuals through automated means. Description Physiological biometrics is based

User Authentication Methods for Mobile Systems Dr Steven Furnell Network Research Group University of Plymouth United Kingdom Overview The rise of mobility and the need for user authentication A survey

White paper Fujitsu Identity Management and PalmSecure To protect your business, it s critical that you can control who accesses your data, systems and premises. Today, many organizations rely on passwords

Two-Factor Authentication Making Sense of all the Options The electronic age we live in is under attack by information outlaws who love profiting from the good record of others. Now more than ever, organizations

Authentication Scheme for ATM Based On Biometric K. Kavitha, II-MCA IFET COLLEGE OF ENGINEERING DEPARTMENT OF COMPUTER APPLICATIONS ABSTRACT: Biometrics based authentication is a potential candidate to

Voice Signature Overview VoiceSign adds 'speak on the dotted line' to transaction processes. Both business and client benefit from convenient and secure transaction verification process. How it works At

Moving to Multi-factor Authentication Kevin Unthank What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that

Good Afternoon! Since Yesterday we have been talking about threats and how to deal with those threats in order to protect ourselves from individuals and protect people, information, buildings, countries

Biometrics for payments The use of biometrics in banking Biometrics for payments Biometrics for payments The use of biometrics in banking The use of biometrics for authentication is nothing new. But historically,

W.A.R.N. Passive Biometric ID Card Solution Updated November, 2007 Biometric technology has advanced so quickly in the last decade that questions and facts about its cost, use, and accuracy are often confused

Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity

Security Model in E-government with Biometric based on PKI Jaafar.TH. Jaafar Institute of Statistical Studies and Research Department of Computer and Information Sciences Cairo, Egypt Nermin Hamza Institute

Application of Biometric Technology Solutions to Enhance Security Purpose: The purpose of this white paper is to summarize the various applications of fingerprint biometric technology to provide a higher

CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL

Objective: The objective of this paper is to provide a basic understanding of the biometric science of keystroke dynamics, and how BioPassword is using keystroke dynamics technology to deliver enterprise

THE ENTERPRISE SECURITY CHALLENGE 75% of big companies globally have been affected by fraud in the last 12 months 50% of organizations classify themselves as highly vulnerable to information and identity

Dynamic (Biometric) Signature Verification The signature is the last remnant of the hand-written document in a digital world, and is considered an acceptable and trustworthy means of authenticating all

Secure communications via IdentaDefense How vulnerable is sensitive data? Communication is the least secure area of digital information. The many benefits of sending information electronically in a digital

White paper Biometrics and the mitigation of card-related fraud The Aadhaar scheme, primarily envisaged to provide every resident proof of identity, holds a great deal of promise for other applications

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge

3D PASSWORD Tejal Kognule Yugandhara Thumbre Snehal Kognule ABSTRACT 3D passwords which are more customizable and very interesting way of authentication. Now the passwords are based on the fact of Human

WHITE PAPER Let s do BI (Biometric Identification) Fingerprint authentication makes life easier by doing away with PINs, passwords and hint questions and answers. Since each fingerprint is unique to an

BIOMETRICS IMPLEMENTING INTO THE HEALTHCARE INDUSTRY 1 BIOMETRICS IMPLEMENTING INTO THE HEALTHCARE INDUSTRY INCREASES THE SECURITY FOR THE DOCTORS, NURSES, AND PATIENTS By: Darrell Shawl THESIS FOR MASTERS

1. What is a credit card and how it differs from a debit card? A payment card is a piece of plastic containing essential banking information about the holder authorizing him to pay for goods and services

Aegis Padlock for business Problem: Securing private information is critical for individuals and mandatory for business. Mobile users need to protect their personal information from identity theft. Businesses

Getting a Handle on Debit and Credit Cards Plastic Fraud State-of-the-art thieves are concentrating on plastic cards. In the past, this type of fraud was not very common. Today, it is a big business for

ARMORVOX IMPOSTORMAPS HOW TO BUILD AN EFFECTIVE VOICE BIOMETRIC SOLUTION IN THREE EASY STEPS ImpostorMaps is a methodology developed by Auraya and available from Auraya resellers worldwide to configure,

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.

The Virginia Electronic Notarization Assurance Standard Published by Secretary of the Commonwealth Richmond, Virginia January 1, 01 Version 1.0 Table of Contents Scope and Intent... 1 Definitions... Article

Implementation of Knock Based Security System Gunjan Jewani Student, Department of Computer science & Engineering, Nagpur Institute of Technology, Nagpur, India ABSTRACT: Security is one of the most critical

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services Over the past decade, the demands on government agencies to share information across the federal, state and local levels

Lecture 1-10: Spectrograms Overview 1. Spectra of dynamic signals: like many real world signals, speech changes in quality with time. But so far the only spectral analysis we have performed has assumed

Contactless payment by mobile Table of contents 1. What is contactless payment by mobile? 2. What do I need to shop with my mobile phone? 3. How can I manage a Mobile Card? 4. How do I shop with my mobile

IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

PalmSecureID for the EDUCATION MARKETPLACE with Student Identity Integrity With the continued effort to increase efficiencies in the world of education, PalmSecureID can be utilized in a variety of settings